Force kernel AES-NI usage on a VPS without the aes CPU flag

First of all, thanks to @rm_ for his brilliant blog post on forcing OpenSSL to use the AES-NI instruction set when the CPU of a VPS does not report it even though it is actually supported. This is a counterpart that forces the Linux kernel to use AES-NI when QEMU does not pass that flag through, which is useful for IPsec, disk encryption, etc.

It turns out to be fairly simple with a kernel module. Just shove these two lines into any hello world boilerplate that you can find in a "how to write Linux kernel modules" tutorial.

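#include <linux/bitops.h>
#include <asm/processor.h>  /* declares boot_cpu_data */
/* In the module's init function: 153 = X86_FEATURE_AES (word 4, bit 25) */
set_bit(153, (unsigned long *)(boot_cpu_data.x86_capability));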


The magic number 153 is taken from arch/x86/include/asm/cpufeatures.h. It is trivial to enforce the usage of another CPU feature (e.g., AVX) with another magic number.

After inserting your own module, manually running modprobe aesni_intel should do the trick.
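The flag should only be forced when the instructions really execute, because the kernel will hit an invalid-opcode fault in its crypto paths otherwise. The userspace probe below is an added example, not code from the original post; the names CAP_BIT, probe and aesni_executes are this example's own. It runs one aesenc instruction under a SIGILL handler and self-tests the handler with ud2 first.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>

/* cpufeatures.h numbers a feature as word*32 + bit; AES is word 4, bit 25. */
#define CAP_BIT(word, bit) ((word) * 32 + (bit))

static sigjmp_buf ill_env;
static void on_sigill(int sig) { (void)sig; siglongjmp(ill_env, 1); }

#if defined(__x86_64__)
/* aesenc %xmm0,%xmm0 as raw bytes, so no -maes build flag is needed. */
static void insn_aesenc(void) { __asm__ volatile(".byte 0x66,0x0f,0x38,0xdc,0xc0" ::: "xmm0"); }
/* ud2 always raises #UD; used to self-test the SIGILL trap. */
static void insn_ud2(void) { __asm__ volatile("ud2"); }
#else
/* Not x86-64: AES-NI cannot run here, so both are modelled as faulting. */
static void insn_aesenc(void) { raise(SIGILL); }
static void insn_ud2(void) { raise(SIGILL); }
#endif

/* Run insn once: 1 if it completed, 0 if the CPU raised SIGILL. */
int probe(void (*insn)(void))
{
    struct sigaction sa = {0}, old;
    int ran;

    sa.sa_handler = on_sigill;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGILL, &sa, &old);
    if (sigsetjmp(ill_env, 1) == 0) { insn(); ran = 1; } else { ran = 0; }
    sigaction(SIGILL, &old, NULL);   /* restore previous handler */
    return ran;
}

/* 1: aesenc executes, 0: it faults, -1: the trap itself did not work. */
int aesni_executes(void)
{
    if (probe(insn_ud2) != 0) return -1;
    return probe(insn_aesenc);
}

int main(void)
{
    int r = aesni_executes();
    printf("AES capability bit %d: aesenc %s\n", CAP_BIT(4, 25),
           r == 1 ? "executes" : "faults or could not be probed");
    return r == 1 ? 0 : 1;
}
```

A non-zero exit status means aesenc faulted or could not be probed, in which case the capability bit should be left alone.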

On one of my KVM servers, the result of cryptsetup benchmark increased from

# Algorithm | Key | Encryption | Decryption
aes-cbc 128b 169.8 MiB/s 167.3 MiB/s


... to ...

# Algorithm | Key | Encryption | Decryption
aes-cbc 128b 678.2 MiB/s 2201.4 MiB/s
